On 15 April 2012 18:48, Lynn McLeod <[email protected]> wrote:
<snip>
> I assume the app-specific password we need for Pidgin is for google talk.
>
> Maybe we will start over and create new google accounts without the 2-step
> verification. It's a pain.
If 2-step verification is turned on, Google demands a 2nd auth token for anything that tries to use your main account password. This is a good idea, because that password has the power to change settings, set up forwarding rules, see all your browsing history, other Google services you used, what the friends of your friends are up to etc. As far as I'm aware this only works for browser-based authentication.

For application authentication (GMail on your phone, Google Talk on the desktop, Pidgin on your laptop etc) you need an application-specific password. Such passwords do not allow full access to your Google profile, and are therefore safer to save on untrusted devices that might fall into the wrong hands.

Google don't advertise the fact that a single "application-specific" password can in fact be used across many different applications. Presumably that's to stop people creating a single "application specific" password and using it for all their apps, which would defeat part of the purpose.

If you take application-specific passwords at face value and treat them as unique and specific to one instance of one application, you've bought yourself a little extra security. Let's say you use Pidgin on 2 laptops and you have a unique application-specific password for each Pidgin instance accessing the Google Talk service on each laptop, e.g. "Pidgin on Toshiba Laptop" and "Pidgin on work PC". Your laptop gets stolen. No biggie - just log in to your Google account with a browser with your main password and deactivate that particular password. Your Google account is not exposed.

To sum up, think of your "main" Google password as your administrative password and your "application specific" password(s) as "regular user" passwords. You can (and probably should) have many of the latter. Google try to strike a balance between security & usability with this model.
If protecting your users' main accounts is not a big deal, by all means revert to standard single-factor auth and everything will play nicely with the same password. It will be similar to the convenience of allowing all your users to go about their regular work tasks using administrator accounts on Windows. Sometimes it's the only thing you can do.

Alex
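The "admin password vs. many regular-user passwords" model Alex describes can be made concrete with a small simulation. The Python below is an added example, not code from the thread, from Pidgin or from Google: it models an account whose main password only unlocks anything when a second factor is also presented, plus any number of labelled, randomly generated application-specific passwords that are stored hashed and grant only the narrow scope a chat client needs. Revoking the password labelled "Pidgin on Toshiba Laptop" (the stolen-laptop case above) leaves "Pidgin on work PC" working. The scope names, the 16-lowercase-letter password format, the PBKDF2 parameters and the `Account` API are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Assumed scope names: the main password is "administrative", an
# application-specific password is a "regular user" credential.
ADMIN_SCOPE = "account:admin"   # settings, forwarding rules, history, ...
APP_SCOPE = "service:chat"      # the only thing a Google Talk client needs


def _hash(secret: str, salt: bytes) -> bytes:
    # Passwords are never stored in the clear (parameters are illustrative).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class StoredCredential:
    label: str
    salt: bytes
    digest: bytes
    scopes: frozenset
    revoked: bool = False

    def matches(self, candidate: str) -> bool:
        if self.revoked:
            return False
        return hmac.compare_digest(self.digest, _hash(candidate, self.salt))


class Account:
    """Hypothetical account with one main password and N app passwords."""

    def __init__(self, main_password: str):
        salt = os.urandom(16)
        self._main = StoredCredential(
            "main", salt, _hash(main_password, salt),
            frozenset({ADMIN_SCOPE, APP_SCOPE}))
        self._app_passwords = {}   # label -> StoredCredential

    def create_app_password(self, label: str) -> str:
        # Generated once, shown once: 16 random lowercase letters (assumed format).
        secret = "".join(secrets.choice("abcdefghijklmnopqrstuvwxyz")
                         for _ in range(16))
        salt = os.urandom(16)
        self._app_passwords[label] = StoredCredential(
            label, salt, _hash(secret, salt), frozenset({APP_SCOPE}))
        return secret

    def revoke_app_password(self, label: str) -> None:
        # Deactivate one device's credential; every other one keeps working.
        self._app_passwords[label].revoked = True

    def authenticate(self, password: str, second_factor_ok: bool = False) -> frozenset:
        """Return the scopes the presented password unlocks (empty if none).

        The main password is only honoured together with the 2nd factor,
        mirroring the 2-step verification behaviour described above.
        """
        if self._main.matches(password):
            return self._main.scopes if second_factor_ok else frozenset()
        for cred in self._app_passwords.values():
            if cred.matches(password):
                return cred.scopes
        return frozenset()

    def can(self, password: str, scope: str, second_factor_ok: bool = False) -> bool:
        return scope in self.authenticate(password, second_factor_ok)


def stolen_laptop_scenario():
    """Two Pidgin instances, one laptop stolen; returns (before, after) checks."""
    acct = Account("main-password-constructed-for-demo")
    toshiba = acct.create_app_password("Pidgin on Toshiba Laptop")
    work = acct.create_app_password("Pidgin on work PC")
    # Before: the laptop's password chats but cannot administer the account.
    before = (acct.can(toshiba, APP_SCOPE), acct.can(toshiba, ADMIN_SCOPE))
    acct.revoke_app_password("Pidgin on Toshiba Laptop")
    # After: the stolen credential is dead, the work PC is unaffected.
    after = (acct.can(toshiba, APP_SCOPE), acct.can(work, APP_SCOPE))
    return before, after


if __name__ == "__main__":
    print(stolen_laptop_scenario())   # ((True, False), (False, True))
```

The point the simulation makes is the one in the post: a leaked application-specific password can only do what the chat service needs, and is individually revocable, while the main password stays behind the second factor.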
